WebApp Sec mailing list archives
Re: [OWASP-GUIDE] Question concerning usage of languages for webapps
From: Adrian Wiesmann <awiesmann () swordlord org>
Date: Sun, 16 May 2004 21:04:03 +0200
> I have to say I find the results troubling, as they are very open-source oriented, rather than real-world industry oriented.
As I mentioned before, the results were "everything else than representative". What I wanted to see with this short questionnaire was to get the general feeling and find out if there is anything we have forgotten or missed. Like TCL or having Perl as backend.

I actually tried to omit to explain in detail what the result means to the Guide v2. But here we go anyway:

There are 3 ways to do web applications (of course there are more, but we can break things down to 3 types. Or better 4 but Client Side Scripting is not really an option for a complete Web Application...):

- Scripting (ASP, PHP, Perl, ...)
- Enhanced Applications (C, ... via CGI or something equal)
- Frameworks (Java, .NET)

While all these three share some common problems and mitigation tactics, they also have some very specific problems. This results in the Guide v2 having to cover all these 3 types. But it does not really matter if we cover ASP or PHP since both share some problems and best practices. Of course there are always attacks which are language specific but these will not be covered in Guide v2 for very obvious reasons.
> It is my belief that such a document should refer to what's mostly used in the industry, and therefore put the two main commercial technologies (mainly ASP/ASP.Net and Java/JSP) as the top priority.
ASP != ASP.NET as mentioned above. But you are right and in a way like described above the Guide v2 will cover that topic.

Regards,
Adrian

P.S: The result from the questionnaire allows a few conclusions which I leave to the reader to choose from:

- webappsec members are mostly from the open source community
- developers of commercial applications are not interested in web security
- the result was representative :)